Closed Bug 723246 Opened 12 years ago Closed 12 years ago

DATA PROTOCOL CROSS DOMAIN STEAL COOKIE

Categories

(Firefox :: Untriaged, defect)

9 Branch
x86
Windows 7
defect
Not set
normal

RESOLVED DUPLICATE of bug 255107

People

(Reporter: jplopezy, Unassigned)

Details

Attachments

(1 file)

Attached file testcase.html
User Agent: Mozilla/5.0 (Windows NT 6.1; rv:9.0.1) Gecko/20100101 Firefox/9.0.1
Build ID: 20111220165912

Steps to reproduce:


I'm seeing an old vulnerability from Firefox 1 and one bug that has not been repaired: bug 294074.

URL : https://bugzilla.mozilla.org/show_bug.cgi?id=294074


Actual results:


The problem is bug number 2: "Click here to steal your cookies on Bugzilla."

If you create a link to the "data:" protocol with a simple script that reads the cookie, it is possible to display the cookie of the same domain. This allows stealing the cookie of the domain that we are viewing.

<a href="data:text/html,&lt;script&gt;document.write(document.cookie);&lt;/script&gt;">Click here to <strong>steal your cookies</strong> on Bugzilla.</a>

Expected results:


Today, many sites do not allow JavaScript, to prevent attacks. But they allow links like "<a href='site'/>test</a>".

For this reason this bug is critical, because someone can inject this link and steal the cookie from forums, social networks, etc.

In conclusion, it is very easy to write an exploit for this bug and steal the cookies from some domains.


Regards.

I'm going to unhide this because it's known behavior. There is a duplicate bug on this somewhere.

Much better for sites to whitelist http: and https: than to try to strip out "bad javascript:".
Group: core-security
Status: UNCONFIRMED → RESOLVED
Closed: 12 years ago
Resolution: --- → DUPLICATE
